Amazon SES SPF and DKIM Configuration | EasyDMARC

Amazon SES SPF and DKIM Configuration: Step By Step Guide

4 Min Read
Amazon SES SPF and DKIM Configuration

This instructional article will demonstrate the  Amazon SES configuration process of Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) Signatures to ensure Amazon SES passes the DMARC alignment check and eliminates spam from your domain, and increase security.

The SPF record identifies the mail servers and domains that are allowed to send email on behalf of your domain. The DKIM record, on the other hand, is a specially formatted DNS TXT record that stores the public key the receiving mail server will use to verify a message’s signature. These email authentication methods will be used to prove to ISPs and mail services that senders are truly authorized to send email from a particular domain and are a way of verifying your email-sending server is sending emails through your domain.

First, let’s observe the current settings in our AmazonSES portal and evaluate the steps needed to be taken in order to achieve SPF & DKIM Authentication.

Please head to Configuration > Verified identities

In this section, our current settings are:

  • DKIM Signing: n/a or Off – This states that a customized DKIM Signature is not in place for AmazonsSES. This will invalidate and mark DKIM as a Fail.
  • MAIL FROM Domain: amazonses.com – This states that the Return-Path domain being used is amazonses.com and not our customized domain. This will invalidate and mark SPF as a Fail.

Generate DKIM Settings

Please head to Authentication on the Verified Identities page

AmazonSES will provide 3 CNAME Records for DKIM Settings. The next step is to implement these CNAME Records in our DNS Zone (In our case, Cloudflare).

1st Record:

Type: CNAME
Name: gmgfp7ek4mfunuxtkne3aahp7yrwupgf._domainkey.yourdomain.com
Value: gmgfp7ek4mfunuxtkne3aahp7yrwupgf.dkim.amazonses.com

Important Note: Proxy Status should be set as “DNS Only”.

2nd Record:

Type: CNAME

Name: ssojnqlvhs6ma3jhsn26oirhev5tof5n._domainkey.yourdomain.com
Value: ssojnqlvhs6ma3jhsn26oirhev5tof5n.dkim.amazonses.com

Important Note: Proxy Status should be set as “DNS Only”.

3rd Record:

Type: CNAME
Name: e54qqjfkcwkturemparg5vwirbd5527d._domainkey.yourdomain.com
Value: e54qqjfkcwkturemparg5vwirbd5527d.dkim.amazonses.com

Important Note: Proxy Status should be set as “DNS Only”.

After adding all the CNAME Records, make sure to Refresh your AWS portal. If everything is set up correctly, the green “Successful” banners will show up in DKIM configuration. However, detection of these records may take up to 72 hours.

Setting MAIL FROM Domain

Setting a customized MAIL FROM Domain will let you achieve SPF Alignment and Pass results. From your Verified Identities page, you need to head to “Set MAIL FROM Domain”, click on “Edit” and choose any given subdomain name for the setup process. For example, it would seem as “subdomain.doamin.com”.

Important Note: In case you have already enabled Custom Mail From Domain, you can follow the next process.

Amazon SES will provide you with one TXT record and one MX record which you need to add it to your DNS zone.

After adding all the required TXT & MX Records, make sure to Refresh your AWS portal. If everything is set up correctly, the green “Successful” banner will show up.

Make sure to achieve this step with every single email address you have in your AmazonSES portal. Congrats, this is how the AmazonSES SPF and DKIM setup is done!

Using AWS in Different Regions

If you are using multiple AWS Regions, you have to perform the SPF & DKIM Authentication setup process for each Region. For example, if you use US East (N. Virginia) and US East (Ohio) Regions for AmazonSES, then you have to set Authentication on each region independently.

Comments
guest
0 Comments
Inline Feedbacks
View all comments

succees We’re glad you joined EasyDMARC newsletter! Get ready for valuable email security knowledge every week.

succees You’re already subscribed to EasyDMARC newsletter. Continue learning more about email security with us